September 2010 Archives

You might have noticed an article yesterday on CSO Online titled "Akamai releases 'game changing' cloud-based payment service" and wondered "that's interesting - I wonder what it all means?" That was certainly the case for me and, I have to say, I'm a little disappointed now that I've gotten under the hood a bit.

Before I go any further, let me be clear on something up front: I think this technology is a good thing, I think what Akamai is doing is laudable, and I hope that merchants make use of the solution. I've been saying for a couple years now that part of the "solution" to PCI compliance concerns is to simply get cardholder data out of merchants' hands. This solution helps accomplish that goal. However, it's no panacea, and we need to be cautious how much hope we place in it.

AppSec DC 2010 will be held Nov. 8-11 at the Walter E. Washington Convention Center in Washington, D.C. The first two days will be for training, including my delivery of “Software Security Best Practices” (a KRvW course). I will also be speaking at the conference on the 2nd plenary day (11/11) in the "death" slot (5:10-6pm). I hope to see you all there! :)

The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform
What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success.

Please join Gemini Security Solutions at AppSecDC 2010 where we will be delivering a 2-day “Software Security Best Practices” course based on the materials we support from KRvW Associates. The course is $1,495 and will run November 8-9 here in Washington, D.C.

Course Description:

This tutorial starts with a description of the security problems faced by today’s software developer, as well as a detailed description of how defective software can be exploited. It goes on to provide a thorough description of the best practices available to prevent, detect, and remediate security problems in software. Next, the tutorial includes hands-on design review exercises to reinforce each of the concepts presented, together with dozens of examples of common coding errors (primarily in C/C++ and Java).

http://www.owasp.org/index.php/Software_Security_Best_Practices

I had the opportunity a couple weeks ago to attend the OWASP AppSec USA 2010 conference in Irvine, CA (this post would have gone up last week, but my laptop hdd died while on travel). Unlike some of the larger conferences, AppSecUS was a much more intimate affair with only a few hundred attendees. These types of conferences can be a lot of fun as they lend themselves more naturally to open discourse, sharing of experiences, and the building of community. This event did not disappoint.

There were a couple keynotes that particularly captured my attention. The first was by Jeff Williams, head of Aspect Security and President of OWASP. In it he spoke about the need for building-in security frameworks and enablers as part of our software ecosystem. The other talk that I found particularly interesting was by David Rice in which he used the analogy of the anti-pollution movement, along with relatively new thinking about sustainability and the new notion of "going blue" that was introduced by Adam Werbach. Putting these concepts together, and then mixing it in during ensuring hallwaycon discussions raised some interesting notions in my mind.

A quick missive on airlines and the lies they tell... these are generally half-lies, but lies nonetheless... of all the airlines, Southwest seems to be the most notorious (I've flown 4 airlines in the past 2 wks and their lies have been most egregious). The main source of most of their lies is in false assertions about "FAA regulations." They attribute many of their rules to FAA regulations, but the simple fact is that the rules they are enforcing are their own. However, saying "follow our rules because we said so" sounds far less intimidating and authoritative than "follow the rules because the FAA says so."

Having read through FAA rules previously on a few areas, what I noticed is this: the FAA says that airlines have to set rules regarding various situations, behaviors, and processes. For instance, airlines must have rules around passenger age and age verification. Enforcing their own rules is an FAA requirement, and failing to follow their own rules is, in fact, an FAA violation. However, to say that the rules themselves are from the FAA is a fabrication.

As I finished reading Richard Clarke's book, Cyber War (see Bejtlich's notes on it), this weekend a thought occurred to me based on one of his consistently reiterated points: the Department of Defense seems to be a misnomer, if not an oxymoron. That is, when you think about it, the US DoD doesn't seem to be oriented so much toward "defense" as "offense." This point is not lost on Clarke, who talks about how the American military is ill-prepared and ill-positioned for defending the homeland from cyber-attack. Even worse, the so-called Department of Homeland Security isn't apparently chartered to deal with defending the homeland either so much as it is with protecting government networks, at least in the cyber sense of things (obviously Border Patrol, TSA, and the Coast Guard, among others, are charged with physical protection).

It seems to me that this problem represents a need for a paradigm shift. This is not to say that I think we should charter traditional military functions for operating within our borders, but that we need to rethink our military approach altogether. In part, I think that one of the key failing points in our current cultural and institutional mindsets is that we are too focused on offense and lack any sort of real or necessary competence around defense, resiliency, and self-preservation (note: I've written about self-preservation in the past).